Cookies are the poster child of online tracking, but they are far from the only method websites use to monitor visitor behaviour. Tracking pixels fire invisibly in the background. Browser fingerprinting builds a profile without writing a single file to the device. Server-side tagging shifts data collection off the browser entirely. Each technique works differently, stores data differently, and falls under different - sometimes overlapping - rules.

Getting the distinction right is not academic. The French CNIL fined Shein EUR 150 million in 2025 for placing advertising cookies before users could consent. Regulators are now applying the same scrutiny to pixels, fingerprinting, and other non-cookie technologies. If your compliance programme only covers cookies, it has a gap.

What Exactly Are Cookies?

A cookie is a small text file that a website instructs the browser to store on a visitor's device. Each subsequent request to the same domain sends that file back, letting the server recognise returning visitors, hold session state, or remember preferences. The Set-Cookie HTTP header controls how a cookie behaves - its domain scope, expiry, and whether JavaScript can read it.
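
The three properties named above (domain scope, expiry, JavaScript readability) can be read straight off a Set-Cookie header during an audit. The parser below is an added example, not code from the original article; the function name and the headers used to exercise it are constructed.

```javascript
// Added example: parse a Set-Cookie header into the attributes an audit cares about.
function parseSetCookie(header, requestHost, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? "" : pair.slice(0, eq),
    domain: requestHost.toLowerCase(), // host-only unless a Domain attribute widens it
    hostOnly: true,
    httpOnly: false,                   // true means document.cookie cannot read it
    secure: false,
    sameSite: null,
    lifetimeDays: null,                // null means a session cookie
  };
  let maxAge = null;
  let expires = null;
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain" && value) {
      // A Domain attribute makes the cookie visible to every subdomain.
      cookie.domain = value.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = value.toLowerCase();
    else if (key === "max-age" && /^-?\d+$/.test(value)) maxAge = Number(value);
    else if (key === "expires") expires = Date.parse(value);
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  if (maxAge !== null) {
    cookie.lifetimeDays = Math.max(0, maxAge) / 86400;
  } else if (expires !== null && !Number.isNaN(expires)) {
    cookie.lifetimeDays = Math.max(0, expires - now) / 86400000;
  }
  return cookie;
}
```

A long `lifetimeDays` combined with `hostOnly: false` and `httpOnly: false` is the profile of a persistent identifier that page scripts can read, which is the kind of cookie a consent category has to account for.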

First-party cookies are set by the domain the visitor is actually on. Third-party cookies are set by an external domain, typically an ad network or analytics provider embedded on the page. Browsers like Safari and Firefox block third-party cookies by default. Chrome still allows them but lets users opt out through a choice mechanism introduced after Google abandoned its original plan to deprecate them entirely.

Cookies are well-understood, easy to inspect via browser developer tools, and simple for users to delete. That transparency is precisely why privacy law targeted them first.

Tracking Beyond Cookies: Pixels, Beacons, and Tags

A tracking pixel (also called a web beacon) is a tiny, often invisible image - typically one pixel by one pixel - embedded in a web page or email. When the page loads or the email opens, the browser requests the image from a remote server. That request transmits the visitor's IP address, user agent string, timestamp, and any parameters encoded in the URL. The server logs those details and correlates them across visits.

Unlike cookies, pixels do not write anything to the user's device. The tracking happens entirely through the act of requesting the image. That distinction once led some organisations to argue pixels fell outside the scope of cookie consent rules. The EDPB closed that loophole in its 2023 Guidelines on the Technical Scope of Article 5(3) of the ePrivacy Directive, confirming that tracking pixels trigger the same consent requirements as cookies because they access information already stored in the terminal equipment.

The CNIL went further in June 2025, launching a public consultation on draft guidance that would require separate, explicit consent for tracking pixels in emails - independent of consent to receive the email itself.

Browser Fingerprinting: No Storage Required

Browser fingerprinting collects attributes from the visitor's device - screen resolution, installed fonts, GPU renderer, time zone, language settings, audio processing characteristics - and combines them into a hash that uniquely identifies the browser. No file is written. No cookie is set. The profile lives entirely on the server.

A 2025 study presented at the ACM Web Conference found that fingerprinting scripts now appear on a significant proportion of popular websites, and that users who explicitly opt out via Global Privacy Control or cookie banners can still be tracked through fingerprinting. Google reversed its long-standing opposition to fingerprinting in February 2025, allowing advertisers using its ad products to employ the technique. The UK's Information Commissioner's Office (ICO) publicly condemned the move, calling it irresponsible.

Under GDPR, fingerprinting data constitutes personal data when it identifies an individual - and it usually does. Recital 30 of the GDPR explicitly references device fingerprints as online identifiers. The ePrivacy Directive catches fingerprinting too, because the scripts that run the fingerprinting routine access information already stored on the terminal equipment. Consent is required.

Local Storage and Session Storage

Local storage and session storage are browser APIs that let websites save key-value data on the visitor's device. Local storage persists until explicitly deleted. Session storage lasts only until the tab or window closes. Both can hold far more data than a cookie - typically 5 to 10 MB versus a cookie's 4 KB limit.

Some websites use local storage as a drop-in replacement for cookies, hoping to avoid consent requirements. That strategy fails. The ICO confirmed in its January 2025 draft guidance on storage and access technologies that local storage, session storage, and IndexedDB all fall under the same PECR rules as cookies. If the data is not strictly necessary for a service the user has requested, consent is required before writing to - or reading from - any of these storage mechanisms.

Server-Side Tracking and Tag Management

Server-side tagging shifts data collection from the visitor's browser to a server the website operator controls. Instead of loading a third-party JavaScript tag (say, the Meta Pixel or Google Analytics snippet) directly in the browser, the site sends event data to its own server endpoint. That server then forwards filtered data to the relevant third-party platforms.

Server-side tracking reduces the number of third-party scripts executing in the browser, which improves page performance and gives the site operator more control over what data leaves the device. It does not eliminate the need for consent. Data is still being collected about an identifiable visitor. The Google Consent Mode v2 framework, for instance, requires consent signals to be enforced end-to-end, including on server-side endpoints, before data is transmitted to Google's systems.
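
One way to enforce consent on a server-side tagging endpoint, as an added example that is not part of the original article or any vendor's code: the server decides per destination whether an event may be forwarded and which fields go with it. The destination names, event fields and field allowlists are hypothetical; the signal names are those used by Consent Mode v2, and their mapping to destinations here is an assumption.

```javascript
// Added example: consent gate and field filter for a server-side tagging endpoint.
// Destinations and allowlists are hypothetical; adapt them to the real tag inventory.
const DESTINATIONS = {
  analytics: { requires: ["analytics_storage"], fields: ["event", "page", "client_id"] },
  ads: { requires: ["ad_storage", "ad_user_data"], fields: ["event", "page", "click_id"] },
};

function granted(consent, signal) {
  // Fail closed: a missing consent object, a missing signal or any value
  // other than the exact string "granted" is treated as denied.
  return consent != null && consent[signal] === "granted";
}

function routeEvent(event, consent) {
  return Object.entries(DESTINATIONS).map(([destination, rule]) => {
    if (!rule.requires.every((signal) => granted(consent, signal))) {
      return { destination, action: "drop" };
    }
    // Forward only allowlisted fields, so nothing extra leaves the server
    // just because the browser happened to send it.
    const payload = {};
    for (const field of rule.fields) {
      if (field in event) payload[field] = event[field];
    }
    return { destination, action: "forward", payload };
  });
}
```

The gate runs on the server for every event, so a browser-side script that fires without checking the banner still cannot push data through to a third party.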

How Cookies and Tracking Technologies Compare

| Technology | Stores data on device? | User can delete? | Blocked by ad blockers? | Consent required (EU)? |
| --- | --- | --- | --- | --- |
| First-party cookie | Yes | Yes | Sometimes | Yes, if non-essential |
| Third-party cookie | Yes | Yes | Often | Yes |
| Tracking pixel / web beacon | No (server-side log) | No | Sometimes | Yes |
| Browser fingerprinting | No (server-side profile) | No | Partially | Yes |
| Local storage / session storage | Yes | Yes (manual) | No | Yes, if non-essential |
| Server-side tagging | Depends on setup | No | No | Yes |

What Privacy Laws Actually Regulate

Article 5(3) of the ePrivacy Directive is technology-neutral. It applies to "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." That language covers cookies, local storage, fingerprinting scripts, and pixels alike. The EDPB's 2023/2024 Guidelines confirmed this broad scope, listing URL tracking, pixel tracking, local JavaScript processing, advertising identifiers, and IoT device reporting as all potentially within scope.

The GDPR adds a second layer. Whenever any tracking technology processes personal data - and virtually all of them do - a lawful basis is required. For marketing cookies and equivalent tracking, that basis is almost always consent under Article 6(1)(a). Legitimate interest rarely survives the balancing test for advertising and behavioural analytics.

In the US, the CCPA/CPRA framework does not distinguish between cookies and other tracking technologies either. The definitions of "sale" and "sharing" of personal information cover any technology that enables a third party to collect data for cross-context behavioural advertising. Over 20 US states now have comprehensive privacy laws, and several - including California, Colorado, Delaware, and Montana - mandate that websites honour Global Privacy Control signals, which apply to all tracking, not just cookies.

Common Compliance Gaps

Most compliance mistakes stem from treating cookies as the only tracking technology that needs management. Scanning tools detect cookies but may miss fingerprinting scripts, local storage writes, or pixels loaded through tag managers.

Server-side tracking deployed as a "consent workaround" is another gap. Moving data collection to the server does not make it invisible to regulators.

Cookie banners that mention only cookies in their disclosure text can also create problems. If the site uses pixels, fingerprinting, or local storage, those technologies should be disclosed and grouped into the appropriate consent categories alongside cookies.

How to Audit Your Site for All Tracking Technologies

Start with an automated cookie scan to build a baseline inventory. Then open Chrome DevTools, navigate to the Application tab, and inspect Local Storage, Session Storage, and IndexedDB for each origin. Check the Network tab for outbound requests to known tracking domains - look for 1x1 pixel requests, beacon endpoints, and CAPI calls.

Review your tag manager configuration. Google Tag Manager controls when tags fire, but it does not automatically block scripts that execute outside its container. Third-party snippets pasted directly into the site template bypass GTM entirely and may fire before consent is collected.

Map each technology to a consent category and ensure your consent management platform blocks non-essential items until valid consent exists.
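
The Network-tab check described above can be scripted over an exported request log. The following is an added example, not code from the original article: it flags third-party requests that look like pixels or beacons, or that set cookies, and records whether each fired before consent. The entry shape is a simplification of HAR, and the hosts, timestamps and 100-byte threshold are constructed assumptions.

```javascript
// Added example: flag pixel/beacon-like third-party requests in a simplified request log.
// Constructed sample: t is milliseconds since navigation start, size is response body bytes.
const SAMPLE_ENTRIES = [
  { t: 120, url: "https://shop.example/assets/logo.png", mime: "image/png", size: 18432, setCookie: false },
  { t: 340, url: "https://px.tracker.example/p.gif?uid=abc123&ev=pageview", mime: "image/gif", size: 43, setCookie: true },
  { t: 400, url: "https://shop.example/api/cart", mime: "application/json", size: 512, setCookie: true },
  { t: 910, url: "https://stats.vendor.example/collect", method: "POST", mime: "text/plain", size: 0, setCookie: false },
  { t: 2600, url: "https://px.tracker.example/p.gif?uid=abc123&ev=click", mime: "image/gif", size: 43, setCookie: false },
];

function registrableHost(host) {
  // Simplification: last two labels. A real audit should use the Public Suffix List.
  return host.toLowerCase().split(".").slice(-2).join(".");
}

function auditEntries(entries, pageHost, consentAtMs) {
  const findings = [];
  for (const e of entries) {
    const u = new URL(e.url);
    if (registrableHost(u.hostname) === registrableHost(pageHost)) continue; // first party
    const reasons = [];
    // Heuristic: a tiny image whose URL carries parameters is a pixel candidate.
    if (e.mime.startsWith("image/") && e.size <= 100 && u.search.length > 1) {
      reasons.push("tiny image with URL parameters (pixel)");
    }
    // Heuristic: a POST answered with an empty body is typical of beacon endpoints.
    if ((e.method || "GET") === "POST" && e.size === 0) {
      reasons.push("empty-response POST (beacon)");
    }
    if (e.setCookie) reasons.push("sets third-party cookie");
    if (reasons.length === 0) continue;
    // consentAtMs === null means the visitor never consented during the capture.
    const beforeConsent = consentAtMs === null || e.t < consentAtMs;
    findings.push({ host: u.hostname, reasons, beforeConsent });
  }
  return findings;
}
```

Entries with `beforeConsent: true` are the ones to trace back to a tag or hard-coded snippet, since they fired without waiting for the consent management platform.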

Frequently Asked Questions

Are tracking pixels considered cookies under GDPR?

Tracking pixels are not cookies, but they fall under the same legal framework. The EDPB's 2023 Guidelines confirmed that pixels trigger Article 5(3) of the ePrivacy Directive because they access information stored on the user's device. Consent is required before deploying non-essential tracking pixels.

Can browser fingerprinting replace cookies without needing consent?

No. Fingerprinting still requires consent in the EU because the scripts access device information, triggering Article 5(3) of the ePrivacy Directive. The resulting data also qualifies as personal data under GDPR Recital 30, so a lawful basis - typically consent - is needed.

Does server-side tracking eliminate the need for a cookie banner?

No. Server-side tracking changes where data is processed, not whether it is collected. If identifiable visitor data is sent to third parties for analytics or advertising, consent is still required. Google Consent Mode v2 requires consent enforcement on server-side endpoints too.

Is local storage subject to the same consent rules as cookies?

Yes. The ICO's 2025 draft guidance on storage and access technologies confirmed that local storage, session storage, and IndexedDB fall under the same PECR rules as cookies. Non-essential use requires prior consent.

How do I find tracking technologies other than cookies on my site?

Use Chrome DevTools to inspect the Application tab for local and session storage entries. Check the Network tab for outbound pixel requests and beacon calls. Review your tag manager for all active tags, and audit any scripts loaded outside the tag manager container.

Do US privacy laws distinguish between cookies and other tracking?

Generally no. The CCPA/CPRA definitions of "sale" and "sharing" cover any technology that enables third-party collection of personal information for cross-context behavioural advertising. State laws requiring Global Privacy Control support apply to all tracking, not just cookies.

Get a Full Picture of Your Site's Tracking

If your compliance programme only looks at cookies, you are likely missing pixels, local storage entries, and fingerprinting scripts that carry the same legal obligations. Kukie.io scans for cookies and third-party scripts, categorises them, and blocks non-essential technologies until consent is given.
